Installing OpenVPN on Linux

First, download the source packages needed for the build. The versions used here (OpenVPN 2.0.9, LZO 2.09) are the ones this procedure was written against; OpenVPN 2.0.9 is a very old release, so on a server you intend to expose, take the current release from the same swupdate.openvpn.org location and keep the rest of the procedure, which still applies. Besides pam-devel, building OpenVPN from source needs a compiler and the OpenSSL headers (gcc, make, openssl-devel).

yum install gcc make openssl-devel pam-devel.x86_64
mkdir /root/openvpn
cd /root/openvpn
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
tar zxvf lzo-2.09.tar.gz
cd lzo-2.09
./configure && make && make install
cd ../
wget https://swupdate.openvpn.org/community/releases/openvpn-2.0.9.tar.gz
tar zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure && make && make install
cd ../

Once the commands above have finished building, the next step is to set up the OpenVPN certificates.

mkdir -p /etc/openvpn
cp -R /root/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn
export D=/etc/openvpn/easy-rsa
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=GZ
export KEY_ORG="yyy.com"
export KEY_EMAIL="yyy.com"
cd /etc/openvpn/easy-rsa/
./clean-all
/usr/local/sbin/openvpn --genkey --secret $KEY_DIR/ta.key
chmod 600 $KEY_DIR/ta.key

Two notes on this block. The order matters: ./clean-all deletes and recreates $KEY_DIR, so the tls-auth key has to be generated after it; generating or copying ta.key into keys/ first would simply delete it again. KEY_SIZE=1024 is kept here so that the file names used later match, but 1024-bit RSA and DH are below today's minimum; for a new deployment set KEY_SIZE=2048 and change dh1024.pem to dh2048.pem in server.conf accordingly.

With that done, build the CA. Run the command below and press Enter at each prompt (the defaults come from the KEY_* variables exported above). This produces keys/ca.crt and keys/ca.key; ca.key signs every other certificate and never leaves this machine.

./build-ca

Generate the certificate and key for the VPN server. Enter server at the Common Name prompt and accept the defaults elsewhere. Answer y to both "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

./build-key-server server

Generate the certificate and key for the VPN clients. Enter client1 at the Common Name prompt; everything else is the same as for the server.
Note: each client gets its own certificate. If several clients will connect to OpenVPN, repeat this step once per client with a distinct Common Name rather than sharing one certificate; a shared certificate cannot be revoked for one client without cutting off the others.

./build-key client1

Generate the Diffie-Hellman parameters (with KEY_SIZE=1024 this writes keys/dh1024.pem, which server.conf references below).

./build-dh

Now create the VPN server's configuration file.

mkdir -p /etc/openvpn/config
vi /etc/openvpn/config/server.conf

Copy the content below into server.conf. Change the IP in the local line to your own VPN server's IP and the port line to the port you chose for the server.

local  1.1.1.1  
port 8081
proto tcp-server
#proto udp

dev tap
;dev tun

;dev-node MyTap

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

server 10.169.30.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/easy-rsa/keys/ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 10.169.0.0 255.255.0.0


client-config-dir /etc/openvpn/config/ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"

;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status /var/log/openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
log /var/log/openvpn.log


verb 3

Two settings in this file deserve attention before the server is reachable from the Internet. user nobody and group nobody are commented out, so the daemon keeps running as root after start-up; uncomment them, since persist-key and persist-tun (already set) are exactly what lets OpenVPN keep working after dropping privileges. No cipher line is active, so OpenVPN 2.0.x uses its default BF-CBC (as the commented line says); set cipher AES-256-CBC on both server and client instead of relying on a 64-bit block cipher. The tls-auth line with direction 0 is correct, and its counterpart on the client must use direction 1.

To assign a fixed IP to a client (skip this step if you do not need it):
Note: client1 is the Common Name used when the client key was built above; the file name in the ccd directory must match it exactly.

mkdir -p /etc/openvpn/config/ccd
cd /etc/openvpn/config/ccd
vi client1

Copy the line below into client1. In this example, client1 is always assigned 10.169.30.2 when it connects.

ifconfig-push 10.169.30.2 255.255.255.0

Start the OpenVPN server, then run ifconfig: a tap interface indicates the server started correctly. Starting it with --daemon detaches it properly instead of leaving it as a background job of the login shell; errors go to /var/log/openvpn.log as set in server.conf.

/usr/local/sbin/openvpn --daemon --config /etc/openvpn/config/server.conf

Set up routing so that VPN clients can reach the Internet. Even after a VPN connection is established, the server has to NAT and forward client traffic before the clients can reach the Internet through it. The rule below assumes eth0 is the Internet-facing interface; adjust it if yours differs.

iptables -t nat -A POSTROUTING -s 10.169.30.0/24 -o eth0 -j MASQUERADE
/etc/init.d/iptables save 
/etc/init.d/iptables restart

IP forwarding also has to be enabled. sysctl -w only changes the running kernel; for the setting to survive a reboot, edit /etc/sysctl.conf so that it contains net.ipv4.ip_forward = 1 (CentOS ships the line set to 0), then reload it:

sysctl -w net.ipv4.ip_forward=1
/sbin/sysctl -p
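As an added example (not part of the original post), the forwarding and NAT step above as a small script: it rewrites a sysctl.conf-style file so that ip_forward survives a reboot, and generates a FORWARD rule set that only carries the VPN subnet out through the WAN interface and only lets reply traffic back in, instead of relying on whatever the default FORWARD policy happens to be. The interface name eth0, the subnet 10.169.30.0/24 and the tap+ wildcard come from this page's configuration; APPLY=1, SYSCTL_CONF and the argument layout are conventions of this example. Nothing is executed unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not from the original post. Generates (and optionally applies)
# the NAT and forwarding setup for the VPN subnet. Defaults mirror the post:
# WAN interface eth0, VPN subnet 10.169.30.0/24, tap interfaces (tap+).
set -e

# Rewrite a sysctl.conf-style file so it contains exactly one
# "net.ipv4.ip_forward = 1" line, dropping any earlier commented or
# uncommented ip_forward line. sysctl -w alone is lost at reboot.
persist_ip_forward() {
    f="$1"; tmp="$f.tmp"
    grep -v '^[[:space:]#]*net\.ipv4\.ip_forward' "$f" > "$tmp" || true
    printf 'net.ipv4.ip_forward = 1\n' >> "$tmp"
    mv "$tmp" "$f"
}

# Print the iptables commands. $1 = WAN interface, $2 = VPN subnet (CIDR),
# $3 = VPN interface pattern (default tap+). FORWARD rules are inserted at the
# top with -I: distribution defaults often end the chain with a catch-all
# REJECT, and rules appended with -A after it would never match.
forward_rules() {
    wan="$1"; net="$2"; dev="${3:-tap+}"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -I FORWARD 1 -i $dev -s $net -o $wan -j ACCEPT
iptables -I FORWARD 2 -i $wan -o $dev -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -i $dev -j DROP
EOF
}

# Dry run by default; APPLY=1 executes the generated commands with sh -e so
# the first failing rule stops the sequence.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        forward_rules "$@" | sh -e
    else
        echo "dry run (set APPLY=1 to execute):" >&2
        forward_rules "$@"
    fi
}

# Persist the kernel setting and, when applying, switch it on immediately.
enable_forwarding() {
    persist_ip_forward "${SYSCTL_CONF:-/etc/sysctl.conf}"
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Usage: APPLY=1 ./vpn-nat.sh apply eth0 10.169.30.0/24
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules "${2:-eth0}" "${3:-10.169.30.0/24}"
fi
```

The third FORWARD rule drops everything else arriving from the tap interfaces, including traffic from VPN clients to an internal LAN behind the server; if clients are meant to reach such a network, insert an ACCEPT for it before that rule. Client-to-client traffic is unaffected, because with client-to-client set OpenVPN switches it internally without passing through the kernel's FORWARD chain.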

Next, build the OpenVPN client.
The build is the same as on the server. Once built, copy the client's material generated on the server into /etc/openvpn/easy-rsa/keys/ on the client: ca.crt, client1.crt, client1.key and ta.key, and nothing else. In particular ca.key (the CA's private key) never leaves the server; ca.crt is the only ca* file a client needs. client1.key and ta.key are secrets, so transfer them over scp or another authenticated channel and keep them mode 600 on the client.
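As an added example (not part of the original post), a helper for the two steps above, generating the client material and copying it to the client: it packages exactly the four files a client needs from the easy-rsa keys directory into a tarball for scp, refuses to include ca.key or a non-client name, and, when openssl is installed, checks that the client certificate chains to ca.crt and matches its private key before anything is shipped. KEYS_DIR defaults to the path used on this page; the script name, the bundle file name and the argument order are this example's own conventions.

```sh
#!/bin/sh
# Added example, not from the original post: package a client's four files from
# the easy-rsa keys directory into a tarball for scp, refusing to include the
# CA private key, and (when openssl is installed) check that the client
# certificate chains to ca.crt and matches its private key before shipping.
# KEYS_DIR defaults to the path used in the post.
set -e

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# The only files a client may receive: the CA *certificate*, its own cert and
# key, and the shared tls-auth key. ca.key, server.* and other clients' keys
# are never on this list.
client_files() {
    cn="$1"
    printf '%s\n' ca.crt "$cn.crt" "$cn.key" ta.key
}

# 0 if the name is a real client Common Name and every required file exists.
check_bundle_inputs() {
    dir="$1"; cn="$2"
    case "$cn" in
        ca|server|ta|"") echo "refusing: '$cn' is not a client Common Name" >&2; return 1 ;;
    esac
    for f in $(client_files "$cn"); do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    return 0
}

# Chain check plus modulus comparison, so a cert/key mix-up is caught here
# rather than as a TLS handshake failure on the client.
verify_client_cert() {
    dir="$1"; cn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 \
        || { echo "$cn.crt does not chain to ca.crt" >&2; return 1; }
    c=$(openssl x509 -noout -modulus -in "$dir/$cn.crt")
    k=$(openssl rsa -noout -modulus -in "$dir/$cn.key")
    [ "$c" = "$k" ] || { echo "$cn.crt and $cn.key do not match" >&2; return 1; }
}

# Write <out>/<cn>-bundle.tar containing only the four client files, mode 0600,
# and print its path.
build_client_bundle() {
    dir="$1"; cn="$2"; out="$3"
    check_bundle_inputs "$dir" "$cn" || return 1
    if command -v openssl >/dev/null 2>&1; then
        verify_client_cert "$dir" "$cn" || return 1
    fi
    tmp=$(mktemp -d)
    for f in $(client_files "$cn"); do cp "$dir/$f" "$tmp/"; done
    chmod 600 "$tmp"/*
    tar -C "$tmp" -cf "$out/$cn-bundle.tar" $(client_files "$cn")
    rm -rf "$tmp"
    echo "$out/$cn-bundle.tar"
}

# Sorted member list, for a last look before scp'ing the bundle.
bundle_members() {
    tar -tf "$1" | sort
}

# Usage: ./client-bundle.sh client1 /root   (then scp /root/client1-bundle.tar to the client)
if [ -n "${1:-}" ]; then
    build_client_bundle "$KEYS_DIR" "$1" "${2:-.}"
fi
```

On the client, unpack the tarball into /etc/openvpn/easy-rsa/keys/ and delete the bundle afterwards; the member list printed by bundle_members is the place to confirm, before the copy, that ca.key is not among the files leaving the server.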

mkdir -p /etc/openvpn/config/
vi /etc/openvpn/config/client.conf

The client configuration file client.conf is shown below. Change the address and port in the remote line to your VPN server's IP and port (the client has no local line; remote is what points it at the server).

client

#dev tun
dev tap

proto tcp-client

remote 1.1.1.1 8081

resolv-retry infinite

nobind

;push "redirect-gateway def1 bypass-dhcp"
;route 10.167.0.0 255.255.0.0
#route 10.169.1.0 255.255.255.0

#user nobody

#group nobody

#persist-key

#persist-tun

mute-replay-warnings
;redirect-gateway

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/client1.crt

key  /etc/openvpn/easy-rsa/keys/client1.key

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 1

log /var/log/open.log
keepalive 10 120

comp-lzo

#pull dhcp-options

verb 4

Start OpenVPN on client1. If a tap interface appears and carries the address 10.169.30.2, the client is connected to the OpenVPN server.

/usr/local/sbin/openvpn --daemon --config /etc/openvpn/config/client.conf
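As an added example (not part of the original post), a pre-flight audit of the server.conf written earlier and the client.conf above, meant to be run before the first connection attempt. It flags the weak server settings discussed on this page (root kept after start-up, default BF-CBC, 1024-bit DH, missing tls-auth, duplicate-cn, no crl-verify) and checks that the two files agree on tls-auth key direction, proto, dev, remote host/port and comp-lzo. It is plain sh plus awk, needs no OpenVPN binary, and takes the two file paths as arguments; the finding texts and the script name are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: audit server.conf and client.conf
# before starting OpenVPN. Plain sh + awk; file paths are passed as arguments.

# Value of directive $2 in file $1 with ';' and '#' comments stripped.
# Prints nothing if the directive is absent or takes no arguments.
conf_get() {
    awk -v d="$2" '
        { sub(/[ \t]*[#;].*$/, "") }
        $1 == d { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# True if directive $2 appears uncommented in file $1.
conf_has() {
    awk -v d="$2" '
        { sub(/[ \t]*[#;].*$/, "") }
        $1 == d { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Server-side weaknesses, one finding per line on stdout.
audit_server() {
    s="$1"
    conf_has "$s" user && conf_has "$s" group \
        || echo "user/group: daemon keeps root after start-up; set 'user nobody' and 'group nobody'"
    c=$(conf_get "$s" cipher)
    case "${c:-BF-CBC}" in
        BF-CBC|DES-CBC|DES-EDE3-CBC)
            echo "cipher: ${c:-not set, so BF-CBC by default}; 64-bit block cipher, set AES-256-CBC" ;;
    esac
    case "$(conf_get "$s" dh)" in
        *dh512*|*dh1024*) echo "dh: $(conf_get "$s" dh) is below 2048 bits; rebuild with KEY_SIZE=2048" ;;
    esac
    conf_has "$s" tls-auth || echo "tls-auth: missing; control-channel packets are accepted from anyone before the TLS handshake"
    conf_has "$s" duplicate-cn && echo "duplicate-cn: clients sharing one certificate cannot be revoked individually"
    conf_has "$s" crl-verify || echo "crl-verify: missing; a revoked client certificate is still accepted"
    return 0
}

# Cross-checks between the two ends; each mismatch means a tunnel that will
# not come up or a setting that silently differs from what was intended.
audit_pair() {
    s="$1"; c="$2"
    sdir=$(conf_get "$s" tls-auth | awk '{print $2}')
    cdir=$(conf_get "$c" tls-auth | awk '{print $2}')
    [ -n "$sdir" ] && [ "$sdir" = "$cdir" ] \
        && echo "tls-auth: both sides use key-direction $sdir; the server needs 0 and the client 1"
    sproto=$(conf_get "$s" proto); cproto=$(conf_get "$c" proto)
    case "${sproto:-udp}/${cproto:-udp}" in
        tcp-server/tcp-client|udp/udp) ;;
        *) echo "proto: server '${sproto:-udp}' vs client '${cproto:-udp}' do not pair" ;;
    esac
    sdev=$(conf_get "$s" dev | sed 's/[0-9]*$//'); cdev=$(conf_get "$c" dev | sed 's/[0-9]*$//')
    [ "$sdev" = "$cdev" ] || echo "dev: server uses '$sdev', client uses '$cdev'"
    set -- $(conf_get "$c" remote)
    rhost="${1:-}"; rport="${2:-1194}"
    sport=$(conf_get "$s" port); slocal=$(conf_get "$s" local)
    [ "$rport" = "${sport:-1194}" ] || echo "port: client remote uses $rport, server listens on ${sport:-1194}"
    [ -z "$slocal" ] || [ "$slocal" = "$rhost" ] || echo "remote: client targets '$rhost' but server binds local $slocal"
    if conf_has "$s" comp-lzo; then sl=1; else sl=0; fi
    if conf_has "$c" comp-lzo; then cl=1; else cl=0; fi
    [ "$sl" = "$cl" ] || echo "comp-lzo: set on one side only; unless pushed, both ends must agree or data packets are rejected"
    return 0
}

# Usage: ./ovpn-audit.sh /etc/openvpn/config/server.conf /etc/openvpn/config/client.conf
if [ $# -eq 2 ]; then
    audit_server "$1"
    audit_pair "$1" "$2"
fi
```

Run against the two files from this page, audit_server reports four findings (root kept, default cipher, dh1024, no crl-verify) and audit_pair reports none; flipping the client's tls-auth direction to 0 or its port away from 8081 adds one finding each, which is the kind of mistake that otherwise shows up only as a silent handshake timeout.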

Unless otherwise noted, the articles on this blog are original work; when reposting, please attribute them with a link to this address.

Original address: http://blog.cnwyhx.com/linux-install-openvpn/
